This time, sensitive personal data on millions of Swedish vehicle owners, along with the nation’s military secrets, has been exposed, putting individual as well as national security at risk.

Who exposed the sensitive data? The Swedish government itself.

Swedish media are reporting a massive data breach at the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of private data about every vehicle in the country, including those used by both the police and the military.

The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots in the Swedish Air Force, members of the military’s most secretive units, police suspects and people under the witness relocation programme, as well as the weight capacity of all roads and bridges, and much more.

The incident is believed to be one of the worst government information security disasters ever.

Here’s What Happened and How:

In 2015, the Swedish Transport Agency handed IBM an IT maintenance contract to manage its databases and networks.

However, the Swedish Transport Agency uploaded its entire database onto IBM’s cloud servers. That database covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs.

The transport agency then emailed the entire database to marketers who subscribe to its records.

And what’s terrible is that the messages were sent in clear text.

When the error was discovered, the transport agency simply sent a new list in another email, asking the subscribers to delete the old list themselves.

If you think the scandal ends there, you are wrong. The outsourcing deal gave IBM staff outside Sweden access to the Swedish transport agency’s systems without undergoing proper security clearance checks.

IBM administrators in the Czech Republic were also given full access to all data and logs, according to Swedish newspaper Dagens Nyheter (DN), which analysed the Säpo investigation documents.

According to Pirate Party founder Rick Falkvinge, now head of privacy at VPN provider Private Internet Access, who brought details of this scandal to light, the incident “exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation.”

Tons of Sensitive Info Exposed about Both Individuals and the Nation’s Critical Infrastructure

According to Falkvinge, the leak exposed:

The weight capacity of all roads and bridges (which is crucial for warfare, and gives a good idea of which roads are intended to be used as wartime airfields).

Names, photos, and home addresses of fighter pilots in the Air Force.

Names, photos, and home addresses of everybody in a police register, which are believed to be classified.

Names, photos, and residential addresses of all operators in the military’s most secret units that are equivalent to the SAS or SEAL teams.

Names, photos, and addresses of everybody in a witness relocation program, who has been given protected identity for some reasons.

Type, model, weight, and any defects in all government and military vehicles, including their operators, which reveals much about the structure of military support units.

Although the data breach happened in 2015, the Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the firing of STA director-general Maria Ågren in January 2017.

Ågren was also fined half a month’s pay (70,000 Swedish krona, about $8,500) after she was found guilty of being “careless with secret information,” according to the publication.

What’s the worrying part? The leaked database may not be secured until the fall, said the agency’s new director-general Jonas Bjelfvenstam. The investigation into the scope of the leak is still ongoing.

The networking company Cisco, through its security wing Talos Group, patched the vulnerabilities being used by the exploit kit, cutting off affected machines from the command-and-control infrastructure.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen [intellectual property, credit card info and personally identifiable information] are generating hundreds of millions of dollars annually,” said the researchers in a blog post.

The exploit kit helped to generate vast sums by gaining access to computers and holding them hostage for a ransom that must be paid within a limited time frame for victims to regain access to their devices.

US federal agents warned earlier this year that so-called ransomware, which encrypts files and documents without the owner’s permission, costs consumers $18 million a year.

A recently disclosed vulnerability in Bind, the most widely used software for translating human-friendly domain names into the IP addresses used by servers, makes it possible for lone-wolf attackers to bring down huge swaths of the Internet, a security researcher has warned.

The flaw, which involves the way that Bind handles some queries related to transaction key records, resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending vulnerable servers a malformed packet that’s trivial to create. Vulnerable servers, in turn, will promptly crash. There are no indications that the vulnerability is being actively exploited in the wild, and the bug wasn’t disclosed until a fix was in place. Still, the critical vulnerability underscores the fragility of Bind, which despite its three decades in use and unwieldy code remains the staple for the Internet’s domain name system.

Rob Graham, CEO of penetration testing firm Errata Security, reviewed some of the Bind source code and the advisory that Bind developers issued earlier this week and made this sobering assessment:

BIND9 is the oldest and most popular DNS server. Today, a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.

Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.

Normally, denial-of-service bugs receive low-severity ratings, but when they’re present in servers that form the Internet’s very core, the risks are much higher. Graham regularly scans almost the entire Internet to get an estimate of how many servers remain affected by the Heartbleed vulnerability in OpenSSL and other major software weaknesses. He said Bind’s code base still isn’t as bloated as that of OpenSSL, but it’s much slower than it should be despite being written in C and C++. The result: Bind has all the security weaknesses that come with those programming languages without the speed that often justifies their use.

Graham concluded:

The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master; it’s just that all those features get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++.
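Graham’s point is that a public-facing server should not be answering rarely used query types such as TKEY at all, which makes “who is sending TKEY queries to my servers” a useful thing to watch for. The following is an added example, written for this page and not code from Errata Security, ISC or the article, that parses captured DNS query packets and flags well-formed queries of unexpected types as well as packets the parser cannot fully read. The packet builder and the three-packet capture are constructed sample input, and the allowlist of “expected” query types is an assumption that a real deployment would tune.

```python
import struct

# Query-type codes from the IANA DNS parameters registry (TKEY is defined in RFC 2930).
QTYPE_TKEY = 249
QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA", 249: "TKEY", 250: "TSIG"}

# Query types a plain public server is expected to see; anything else is worth a look.
# This allowlist is an assumption of the example, not a recommendation from the article.
EXPECTED_QTYPES = frozenset({1, 2, 15, 28})

def parse_question(packet):
    """Return (qname, qtype) for the first question in a DNS message.
    Raises ValueError when the packet is too short or the name is malformed."""
    if len(packet) < 12:
        raise ValueError("header shorter than 12 bytes")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount == 0:
        raise ValueError("empty question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside question name")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("question truncated before type/class")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype

def triage_queries(packets, expected=EXPECTED_QTYPES):
    """Classify captured query packets: well-formed queries of an unexpected type are
    reported by name, and packets the parser rejects are reported as malformed."""
    alerts = []
    for pkt in packets:
        try:
            qname, qtype = parse_question(pkt)
        except ValueError as err:
            alerts.append(("malformed", str(err)))
            continue
        if qtype not in expected:
            alerts.append(("unexpected-qtype", f"{qname} {QTYPE_NAMES.get(qtype, qtype)}"))
    return alerts

def build_query(qname, qtype, txid=0x1234):
    """Build a minimal, well-formed DNS query; used here only to construct sample input."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

# Constructed sample capture: an ordinary lookup, a TKEY query, and a packet cut short.
SAMPLE_CAPTURE = [
    build_query("www.example.com", 1),
    build_query("example.com", QTYPE_TKEY),
    build_query("ns1.example.com", 28)[:20],
]

if __name__ == "__main__":
    for reason, detail in triage_queries(SAMPLE_CAPTURE):
        print(f"{reason}: {detail}")
```

The parser deliberately rejects compression pointers in the question name and any length field that runs past the packet, which is the same “don’t trust the length you were given” discipline the article says Bind lacked in its TKEY handling; a real deployment would feed it from a packet capture and raise the alert into the SOC pipeline rather than print it.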

The problem stems from the way Android phones analyze incoming text messages. Even before you open a message, the phone automatically processes incoming media files — including pictures, audio or video. That means a malware-laden file can start infecting the phone as soon as it’s received, according to Zimperium, a cybersecurity company that specializes in mobile devices.

But in that case, a text message with just the right characters could freeze an iPhone or force it to restart. This Android flaw is worse, because a hacker could gain complete control of the phone: wiping the device, accessing apps or secretly turning on the camera.

In a statement to CNNMoney, Google (GOOGL) acknowledged the flaw. It gave assurances that Android has ways of limiting a hacker’s access to separate apps and phone functions. Yet hackers have been able to overcome these limitations in the past.

The bug affects any phone using Android software made in the last five years, according to Zimperium. That includes devices running Android’s Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat and Lollipop iterations (Google names its Android versions alphabetically after desserts).

Zimperium said it warned Google about the flaw on April 9 and even provided a fix. The company claims Google responded the very next day, assuring a patch would be shared with customers in the future.

Typically, in these situations, companies are given a 90-day grace period to issue a fix. It’s a rule even Google abides by when it finds flaws in others’ software.

But it’s been 109 days, and a fix still isn’t widely available. That’s why Zimperium is now going public with the news.

The issue now is how quickly Google will manage to fix this for everybody. While Apple can push out updates to all iPhones, Google can’t.

Google is notorious for having a fractured distribution system. Several entities stand between Google and its users, and they routinely slow down the release of new software. There are phone carriers — like AT&T (T) and Verizon (VZ) — and makers of physical devices — like Samsung (SSNLF) — all of which need to work together to issue software updates.

Google told CNNMoney it already sent a fix to its “partners.” However, it’s unclear if any of them have started pushing that out to users themselves.

Talented hackers have caused “serious damage” after breaching a German steel mill and wrecking one of its blast furnaces.

The hack of the unnamed mill, detailed in the annual report of the German Federal Office of Information Security, was pulled off after a victim fell for a phishing email. Hackers then pivoted to the production network, a feat that should not be possible according to best practice, which requires separation between industrial control systems and the public internet.

“The result was that a blast furnace could be shut down,” the agency wrote in a report (page 31, in German). “The attackers were knowledgeable in conventional IT security and had extensive knowledge of applied control and production processes.”

The advanced persistent threat hackers specifically targeted industrial plants, but their location was not specified. The attacks likely demonstrated that the mill had not employed sufficient separation of internet-facing and critical production networks.

Attacks against industrial control systems were common, but public reporting of resulting physical damage was rare. In June, Finnish malware probers F-Secure reported that remote access trojans had infected manufacturers of industrial control and SCADA software in France, Germany and Russia, by a group that was not considered overly advanced. Last year, Trend Micro researcher Kyle Wilhoit demonstrated hacker interest in industrial systems through a SCADA honeypot that was attacked within 18 hours of being placed on the public internet.

Vendors have throughout the year pushed out patches for various industrial control systems. Patching, however, can be difficult or near impossible for some operators because of configurations and dependencies.

The Internet Corporation for Assigned Names and Numbers (ICANN) has been hacked by unknown attackers who gained administrative access to some of the organization’s systems, the organization confirmed.

The attackers used a “spear phishing” campaign to target sensitive systems operated by ICANN, sending spoofed emails disguised as internal ICANN communications to its staff members. The link in the emails took the staff to a bogus login page, where they entered their usernames and passwords, the keys to their work email accounts.

The data breach began in late November 2014 and was discovered a week later, ICANN, which oversees the Internet’s address system, said in a release published Tuesday. ICANN is the organization that manages the global top-level domain system.

“We believe a ‘spear phishing’ attack was initiated in late November 2014,” Tuesday’s press release stated. “It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members.”
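The attack described above works because a message can claim to come from the organisation’s own domain while actually originating elsewhere and pointing at a look-alike login page. As an added example (written for this page, not ICANN’s or any vendor’s tooling), the Python below takes a raw message, and for mail that presents itself as internal, checks the Authentication-Results header for SPF and DKIM passes, compares the envelope sender’s domain with the header From, and flags links that lead off the internal domain. The two sample messages are constructed, “example.org” stands in for the organisation’s domain, and the header layout assumes a gateway that records results in the standard Authentication-Results form.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The organisation's own mail domain; "example.org" is an assumed placeholder.
INTERNAL_DOMAIN = "example.org"

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim)=([a-z]+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", re.IGNORECASE)
LINK_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)

def is_internal_host(host):
    """True for the internal domain itself or any host beneath it."""
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)

def analyse_message(raw):
    """Return a list of (check, detail) findings for a message that presents itself
    as internal mail; an empty list means nothing looked wrong."""
    msg = message_from_string(raw)
    findings = []
    _display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != INTERNAL_DOMAIN:
        return findings  # external senders are outside the scope of this check
    auth = msg.get("Authentication-Results", "")
    results = {k.lower(): v.lower() for k, v in AUTH_RESULT_RE.findall(auth)}
    for mechanism in ("spf", "dkim"):
        if results.get(mechanism) != "pass":
            findings.append((mechanism, results.get(mechanism, "missing")))
    m = MAILFROM_RE.search(auth)
    if m and m.group(1).lower() != INTERNAL_DOMAIN:
        findings.append(("envelope-domain", m.group(1).lower()))
    body = "" if msg.is_multipart() else msg.get_payload()
    for host in LINK_HOST_RE.findall(body):
        if not is_internal_host(host):
            findings.append(("external-link", host.lower()))
    return findings

# Constructed sample: a spoofed "internal" message that fails SPF, carries no DKIM
# signature, was sent from a look-alike domain and links to an external login page.
SPOOFED_MESSAGE = """\
From: IT Helpdesk <it-helpdesk@example.org>
To: staff@example.org
Subject: Action required: mailbox quota
Authentication-Results: mx.example.org; spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=it-helpdesk@exampie.org; dkim=none
Content-Type: text/plain

Your mailbox is full. Sign in at https://example.org.account-verify.net/login to keep receiving mail.
"""

# Constructed sample: a genuine internal notice that passes both checks and links inward.
LEGITIMATE_MESSAGE = """\
From: IT Helpdesk <it-helpdesk@example.org>
To: staff@example.org
Subject: Scheduled password rotation
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=it-helpdesk@example.org; dkim=pass header.d=example.org
Content-Type: text/plain

Reset your password at https://intranet.example.org/password before Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, analyse_message(raw))
```

The envelope-domain check is what catches the look-alike domain (“exampie.org”) even when the visible From header is perfect; the external-link check catches the classic trick of putting the real domain at the front of a longer hostname. Both depend on the mail gateway actually enforcing SPF and DKIM and writing the results into the header, so the check is only as good as that configuration.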

With those details, the hackers then successfully managed to access a number of systems within ICANN, including the Centralized Zone Data System (CZDS), the wiki pages of the ICANN Governmental Advisory Committee (GAC), the domain registration Whois portal, and the ICANN blog.

The CZDS is a service used by domain registries and other interested parties to request access to the DNS root zone files and sensitive data associated with users’ online accounts. This provided hackers access to zone files and sensitive information such as names, postal addresses, email addresses, fax and phone numbers, usernames and cryptographically hashed passwords of account holders who used those systems.

The zone files contain sensitive and valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers.

In an email sent to every CZDS user, ICANN has warned that “the attacker obtained administrative access to all files in the CZDS including copies of the zone files in the system. The information you provided as a CZDS user might have been downloaded by the attacker. This may have included your name, postal address, email address, fax and telephone numbers, and your username and password.”

More than 12 million routers in homes and businesses around the world, from a variety of different manufacturers, are vulnerable to a critical software bug that can be exploited by hackers to remotely monitor users’ traffic and take administrative control over the devices.

The critical vulnerability actually resides in the web server “RomPager”, made by a company known as AllegroSoft, which is typically embedded into the firmware of routers, modems and other “gateway devices” from almost every leading manufacturer.

The HTTP server provides the user-friendly web interface for configuring the products. Researchers at the security software company Check Point have discovered that RomPager versions prior to 4.34 — software more than 10 years old — are vulnerable to a critical bug, dubbed Misfortune Cookie. The flaw is named Misfortune Cookie because it allows attackers to control the “fortune” of an HTTP request by manipulating cookies.

HOW THE MISFORTUNE COOKIE FLAW WORKS

The vulnerability, tracked as CVE-2014-9222 in the Common Vulnerabilities and Exposures database, can be exploited by sending a single specially crafted request to the affected RomPager server that corrupts the gateway device’s memory, giving the attacker administrative control over it. From there, the attacker can target any other device on that network.

“Attackers can send specially crafted HTTP cookies [to the gateway] that exploit the vulnerability to corrupt memory and alter the application and system state,” said Shahar Tal, malware and vulnerability research manager with Check Point. “This, in effect, can trick the attacked device into treating the current session with administrative privileges – to the misfortune of the device owner.”

Once attackers gain control of the device, they could monitor victims’ web browsing, read plaintext traffic travelling over the device, change sensitive DNS settings, steal account passwords and sensitive data, and monitor or control webcams, computers, or other network-connected devices.

MAJOR ROUTER & GATEWAY BRANDS VULNERABLE

At least 200 different models of gateway devices, or small office/home office (SOHO) routers, from various manufacturers and brands are vulnerable to Misfortune Cookie, including kit from D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.
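With 200 models across many brands affected, the practical first step for a network owner is to find out which of their own gateways still run a RomPager build older than the 4.34 fix level named above. The following is an added example, written for this page and not Check Point’s or AllegroSoft’s code, that pulls the Server header out of raw HTTP responses collected from one’s own devices and classifies each against that version boundary. The response bytes are constructed samples, and the banner shape “RomPager/4.07 UPnP/1.0” is an assumption about how the embedded server identifies itself.

```python
import re

# Fix level reported above: RomPager versions before 4.34 carry CVE-2014-9222.
ROMPAGER_FIXED = (4, 34)
# Banner pattern is an assumption for this example; real devices vary in what they send.
BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response (bytes), or ''."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return ""

def rompager_status(banner):
    """Classify a Server banner as ('vulnerable'|'patched'|'not-rompager', version)."""
    m = BANNER_RE.search(banner)
    if not m:
        return ("not-rompager", None)
    # The minor number is treated as an integer component (4.07 -> (4, 7)), not a decimal.
    version = (int(m.group(1)), int(m.group(2)))
    return ("vulnerable" if version < ROMPAGER_FIXED else "patched", version)

def triage_inventory(responses):
    """Map each device address to its status; input is {address: raw HTTP response}."""
    return {addr: rompager_status(server_header(raw)) for addr, raw in responses.items()}

# Constructed sample responses, as an inventory scan of one's own gateways might record them.
SAMPLE_RESPONSES = {
    "192.0.2.1": b"HTTP/1.1 401 Unauthorized\r\nServer: RomPager/4.07 UPnP/1.0\r\n"
                 b"WWW-Authenticate: Basic realm=\"Router\"\r\n\r\n",
    "192.0.2.2": b"HTTP/1.1 200 OK\r\nServer: RomPager/4.51\r\nContent-Length: 0\r\n\r\n",
    "192.0.2.3": b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.35\r\nContent-Length: 0\r\n\r\n",
    "192.0.2.4": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",   # no banner at all
}

if __name__ == "__main__":
    for addr, (status, version) in sorted(triage_inventory(SAMPLE_RESPONSES).items()):
        print(f"{addr:12} {status:13} {version or ''}")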

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report released Sunday.

The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it’s the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware’s design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software.

“Regin’s developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years,” the company said in a statement. “Even when its presence is detected, it is very difficult to ascertain what it is doing.”

The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases.

Cyberespionage is a sensitive subject, often straining diplomatic relations between countries. The US and China have tussled for years over accusations of electronic spying. The US has accused China’s government and military of engaging in widespread cyberespionage targeting US government and business computer networks. China has denied the charges and accused the US of similar behavior targeting its own infrastructure.

Some of Regin’s main targets include Internet service providers and telecommunications companies, where it appears the complex software is used to monitor calls and communications routed through the companies’ infrastructure. Other targets include companies in the airline, energy, hospitality and research sectors, Symantec said.

The malware’s targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India.

Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about the malware’s structure. All five stages had to be acquired to analyze the threat posed by the malware.

The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyberespionage instead of sabotage.

Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist. “Regin uses a modular approach,” Symantec said, “giving flexibility to the threat operators as they can load custom features tailored to individual targets when required.”


Companies are being warned about ongoing hack attacks that target hi-tech entrepreneurs and other corporate executives in their hotel rooms.

The campaign has been dubbed DarkHotel and is believed to single out specific senior staff when they log in to the net via wi-fi or an Ethernet cable.

The technique puts data at risk even if the employees are using encryption.

The attacks began in 2007, according to research firm Kaspersky Lab.

“The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims’ whereabouts, including name and place of stay,” said the Russian security company.

“This paints a dark, dangerous web in which unsuspecting travellers can easily fall.”

The firm’s research indicates the majority of the attacks to date have taken place in Japan but that visitors to hotels in Taiwan, mainland China, Hong Kong, Russia, South Korea, India, Indonesia, Germany, the US and Ireland have also been targeted.

It said that the effort was “well-resourced”, but it was unclear who was responsible.

One independent expert said the hacks should not come as too much of a shock.

The malware was attached to legitimate updates for Adobe Flash and other software

“It’s unsurprising given the high value of the targets,” commented Dr Ian Brown, from the Oxford Internet Institute.

“This is perhaps a wake-up call to big company CEOs who weren’t already aware that this kind of thing was going on.”

Copied certificates

The scheme works by requesting that the targeted user installs an update to a popular software package shortly after they connect to the net.

Examples include new versions of Adobe Flash, Google Toolbar and Windows Messenger.

The installation files include legitimate software, but with the DarkHotel code added on.

To prevent the malware being detected, the hackers use certificates – the equivalent of a digital password, used under normal circumstances to confirm software is trustworthy.

The majority of the detected attacks targeted visitors to Japanese hotels

They were able to do this by taking copies of valid certificates that were protected by relatively weak levels of encryption, which they were capable of breaking.

Kaspersky said that examples of spoofed certificates that its researchers had found included ones issued by Deutsche Telekom, Cybertrust and Digisign.
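One concrete form of the weakness described above is a signing certificate whose RSA key is short enough to be broken; checking the key length in a certificate is something a defender can do before trusting a software update. The Python below is an added example, written for this page and not Kaspersky’s or any vendor’s tooling. It uses only the standard library: a small DER reader walks an RSA SubjectPublicKeyInfo (the public-key blob, which is what `openssl x509 -pubkey -noout` prints once the PEM armour is base64-decoded; a full X.509 certificate would need a few more steps to reach that structure) and returns the modulus size, and a policy check compares it with a 2048-bit floor. The threshold, the assumption that “weak” meant short keys, and the sample keys are all this example’s own; the sample moduli are arbitrary odd numbers of the right size, not real RSA moduli.

```python
# ASN.1 DER helpers: just enough to build a sample RSA SubjectPublicKeyInfo and to read
# the modulus back out of one. Tags: SEQUENCE 0x30, INTEGER 0x02, BIT STRING 0x03,
# OBJECT IDENTIFIER 0x06, NULL 0x05.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
MINIMUM_RSA_BITS = 2048   # policy threshold assumed for this example

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content

def _der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:               # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def build_rsa_spki(modulus, exponent):
    """Encode an RSA SubjectPublicKeyInfo; used here only to construct sample input."""
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    key = _der(0x30, _der_integer(modulus) + _der_integer(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + key))   # 0x00 = no unused bits

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                 # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Walk a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _alg_tag, alg, pos = _read_tlv(body, 0)           # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bits_tag, bitstring, _ = _read_tlv(body, pos)     # subjectPublicKey BIT STRING
    if bits_tag != 0x03:
        raise ValueError("expected BIT STRING")
    _seq_tag, rsakey, _ = _read_tlv(bitstring[1:], 0) # skip the unused-bits byte
    int_tag, modulus, _ = _read_tlv(rsakey, 0)        # first INTEGER is the modulus
    if int_tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def assess_signing_key(spki, minimum_bits=MINIMUM_RSA_BITS):
    """Return ('weak'|'ok', bits) for the key a code-signing certificate carries."""
    bits = rsa_modulus_bits(spki)
    return ("weak" if bits < minimum_bits else "ok", bits)

# Constructed sample keys (arbitrary odd moduli of the right length, not real RSA keys).
WEAK_SPKI = build_rsa_spki((1 << 511) | 1, 65537)      # 512-bit modulus
STRONG_SPKI = build_rsa_spki((1 << 2047) | 1, 65537)   # 2048-bit modulus

if __name__ == "__main__":
    for label, spki in (("weak", WEAK_SPKI), ("strong", STRONG_SPKI)):
        print(label, assess_signing_key(spki))
```

Key length is only one property of a trustworthy signer: the same check pipeline would also want the issuer to be one the organisation expects and the certificate to be unrevoked, neither of which a length check can tell you.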

The result is that the hackers can then employ other types of malware.

These are said to include:

Keyloggers – used to record and transmit a user’s individual keyboard and mouse presses in order to monitor their activity

Information stealers – used to copy data off the computer’s hard drive, including passwords stored by internet browsers, and the logins for cloud services including Twitter, Facebook, Mail.ru and Google

Trojans – used to scan a system’s contents, including information about the anti-virus software it has installed. The findings are then uploaded to the hackers’ computer servers

Droppers – software that installs further viruses on the system

Selective infectors – code that spreads the malware to other computer equipment via either a USB connection or shared removable storage. These targets appeared to be “systematically vetted” before being infected

Small downloaders – files designed to contact the hackers’ server after 180 days. The belief is that this is intended to let them take back control if some of the other malware is detected and removed

The researchers said workers for electronics manufacturers, pharmaceutical companies, cosmetic makers, car designers, the military and non-governmental organisations had all been targeted.

They added that the employees had probably been identified by the last name and room number they were required to enter in order to access the internet, inferring that they must have had a separate way to determine their targets’ travel dates, assigned room numbers and other details.

“The attackers were also very careful to immediately delete all traces of their tools as soon as an attack was carried out successfully,” they added.

A group of cybersecurity firms funded by big banks plan to launch a platform that will allow financial companies to communicate faster about potential cyber breaches, the Wall Street Journal reported.

The move follows cybersecurity attacks on some big banks last month, where JPMorgan Chase & Co’s computer systems were hacked exposing the contact details of 73 million households and 7 million small businesses.

The group gathered funds from 16 banks, including JPMorgan, Citigroup Inc., BB&T Corp. and U.S. Bancorp, to help lead the effort, the newspaper said.

The product, called ‘Soltra Edge’, is being launched by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Depository Trust & Clearing Corp (DTCC). It has been in the works for more than a year and is expected to be out next month, the report said.

Earlier this year, JP Morgan said it expects to spend more than $250 million on cyber security, with about 1,000 people working on that area, after being warned by U.S. regulators about the threat of rising cyber attacks on bank machines.

A pilot version of Soltra was used in spreading the information received by FS-ISAC from JPMorgan after the breach, the Journal said, citing sources.

Soltra, which offers a free edition as well as a paid one, will help track threat information within seconds, a spokesman for Soltra told Reuters.

FS-ISAC and DTCC could not be reached immediately for comments outside regular U.S. business hours.